In recent years, unauthorized programs (hereinafter referred to as “malware”) that pose threats such as information leakage and unauthorized access have become rampant. After infecting a terminal, malware receives commands from an attacker via a server or the like and poses a threat, such as an attack or information leakage. Recent malware disguises its communication with the attacker as normal communication (see, for example, Non Patent Literature 1).
The number of detected pieces of malware is increasing significantly, and it has been reported that a new piece of malware emerges every few seconds (see, for example, Non Patent Literature 2). It is therefore difficult to prevent the threat of malware solely through countermeasures taken on the host, such as antivirus software. To cope with this, methods that analyze communication data and identify terminals infected by malware, in order to reduce the threat of malware, have attracted attention (see, for example, Non Patent Literature 3).
As a method of detecting a malware-infected terminal, a method is known that generates patterns from the characteristics of communications observed in malware-infected terminals and uses those patterns for detection (see, for example, Patent Literature 1). One example of such a method takes communication data as the analysis target, makes patterns from communication data obtained through malware analysis, and checks whether the same pattern appears in communications in a monitoring target network (NW) to detect a malware-infected terminal.